Index: net/cert/cert_verify_proc_mac.cc |
diff --git a/net/cert/cert_verify_proc_mac.cc b/net/cert/cert_verify_proc_mac.cc |
index 15d07f3e2c4ca85bb80c9984121fc2dd85f9c1c3..c9ca384b96973260dc26e126225d0bebe40ec51c 100644 |
--- a/net/cert/cert_verify_proc_mac.cc |
+++ b/net/cert/cert_verify_proc_mac.cc |
@@ -988,14 +988,6 @@ int VerifyWithGivenFlags(X509Certificate* cert, |
break; |
} |
- // Perform hostname verification independent of SecTrustEvaluate. In order to |
- // do so, mask off any reported name errors first. |
- verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; |
- if (!cert->VerifyNameMatch(hostname, |
- &verify_result->common_name_fallback_used)) { |
- verify_result->cert_status |= CERT_STATUS_COMMON_NAME_INVALID; |
- } |
- |
// TODO(wtc): Suppress CERT_STATUS_NO_REVOCATION_MECHANISM for now to be |
// compatible with Windows, which in turn implements this behavior to be |
// compatible with WinHTTP, which doesn't report this error (bug 3004). |
@@ -1005,6 +997,10 @@ int VerifyWithGivenFlags(X509Certificate* cert, |
verify_result->is_issued_by_known_root = |
g_known_roots.Get().IsIssuedByKnownRoot(completed_chain); |
+ // Hostname validation is handled by CertVerifyProc, so mask off any errors |
+ // that SecTrustEvaluate may have set, as its results are not used. |
+ verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID; |
+ |
if (IsCertStatusError(verify_result->cert_status)) |
return MapCertStatusToNetError(verify_result->cert_status); |
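Review bot: The added mask `verify_result->cert_status &= ~CERT_STATUS_COMMON_NAME_INVALID;` means VerifyWithGivenFlags no longer fails on a hostname mismatch, so its result is only safe when the caller performs the name check itself; the comment says CertVerifyProc does, but that code is not visible in this diff. Because the first hunk removes the `VerifyNameMatch` call, this function also stops writing `verify_result->common_name_fallback_used`, so that field presumably has to be populated by the same caller, which is worth confirming. I would state the contract in the comment, e.g. `// NOTE: this function does not validate |hostname|; the caller (CertVerifyProc) must run the name match and set CERT_STATUS_COMMON_NAME_INVALID.`, and make sure a test covers a name-mismatched certificate on the Mac path so a regression in the caller is caught. The body of VerifyWithGivenFlags starts and ends outside the hunk.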